[linux] Solved: Advanced routing

Ivan Malich malich at decef.elf.stuba.sk
Monday October 21 09:29:04 CEST 2002


> > It worked about halfway. From the lan1 and lan2 side it behaved
> > the way I wanted. However, all packets left the router from address 1.2.3.1
> > and were sent to gw1.
> Perhaps:
> http://lartc.org/howto/lartc.rpdb.multiple-links.html

So... I finally managed to find enough free time for
testing. The result is this:

---BEGIN---
# Two external addresses on one interface (primary + alias), same on the inside.
ifconfig $ext_if $ext_ip1 netmask $ext_mask1 broadcast $ext_bcast1
ifconfig $ext_if:1 $ext_ip2 netmask $ext_mask2 broadcast $ext_bcast2

ifconfig $int_if $int_ip1 netmask $int_mask1 broadcast $int_bcast1
ifconfig $int_if:1 $int_ip2 netmask $int_mask2 broadcast $int_bcast2

################################################################################

# Table names s1 and s2 must be declared in /etc/iproute2/rt_tables.
# Table s1: everything sourced from the first internal or external net goes out via gw1.
ip route add $int_net1 dev $int_if src $int_ip1 table s1
ip route add $ext_net1 dev $ext_if src $ext_ip1 table s1
ip route add default via $gw1 table s1
ip rule add from $int_net1 table s1
ip rule add from $ext_net1 table s1

# Table s2: the same for the second internal/external net via gw2.
ip route add $int_net2 dev $int_if src $int_ip2 table s2
ip route add $ext_net2 dev $ext_if src $ext_ip2 table s2
ip route add default via $gw2 table s2
ip rule add from $int_net2 table s2
ip rule add from $ext_net2 table s2

# Main table: default route for anything the rules above do not catch.
ip route add default via $gw1

################################################################################

# Reset the filter and nat tables; forwarding is denied unless allowed below.
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
iptables -X
iptables -Z

# Inbound only for replies to existing connections; outbound from the LAN is free.
iptables -A FORWARD -i $ext_if -o $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int_if -o $ext_if -j ACCEPT

# SNAT per internal net: the rewritten source matches the gateway chosen by the rule
# (the ip rule is evaluated on the pre-NAT source, so the two stay consistent).
iptables -t nat -A POSTROUTING -o $ext_if -j SNAT -s $int_net1 --to-source $ext_ip1
iptables -t nat -A POSTROUTING -o $ext_if -j SNAT -s $int_net2 --to-source $ext_ip2

echo 1 > /proc/sys/net/ipv4/ip_forward
---END---

All the ext_* variables refer to the external side of the router, and the
int_* variables refer to the internal side. The trick was that the routing
rules had to be combined "in a sensible way" :-) with the netfilter
setup.

Oh, how simple, Dr. Watson. :-)

Ico

--
Ico <ico at podvodnik.cz> <malich at decef.elf.stuba.sk>
UNIX is user friendly. It's just selective about who its friends are.
Why use Windows, since there's a door???
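As an added illustration (not part of Ico's post), a small Python model of the decision the script above relies on: the `ip rule from <net>` lookup runs on the pre-NAT source and picks a table with its own default gateway, and only then does POSTROUTING SNAT rewrite the source. With the rules disabled, a packet from the second net is still SNATed to the second external address but leaves via gw1, which is the "half working" symptom from the thread. All addresses are constructed placeholders for the post's $int_net1, $ext_ip1, $gw1 etc.

```python
import ipaddress

# Constructed sample values standing in for the shell variables in the post.
INT_NET1, INT_NET2 = "10.1.0.0/24", "10.2.0.0/24"
EXT_NET1, EXT_NET2 = "192.0.2.0/24", "198.51.100.0/24"
EXT_IP1, EXT_IP2 = "192.0.2.10", "198.51.100.10"
GW1, GW2 = "192.0.2.1", "198.51.100.1"

# "ip rule add from <net> table <t>": matched in order on the pre-SNAT source.
RPDB_RULES = [(INT_NET1, "s1"), (EXT_NET1, "s1"), (INT_NET2, "s2"), (EXT_NET2, "s2")]
# Default gateway per table ("ip route add default via <gw> table <t>"; main uses gw1).
DEFAULT_VIA = {"s1": GW1, "s2": GW2, "main": GW1}
# POSTROUTING SNAT: source net -> address the packet carries on the wire.
SNAT_RULES = [(INT_NET1, EXT_IP1), (INT_NET2, EXT_IP2)]


def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def select_table(src, rpdb_enabled=True):
    """Return the routing table the policy rules choose for source address src."""
    if rpdb_enabled:
        for prefix, table in RPDB_RULES:
            if _in(src, prefix):
                return table
    return "main"  # the implicit lowest-priority rule: everything else


def route_packet(src, rpdb_enabled=True):
    """Simulate routing followed by POSTROUTING SNAT.

    Returns (table, next-hop gateway, source address seen on the wire).
    """
    table = select_table(src, rpdb_enabled)
    gateway = DEFAULT_VIA[table]
    wire_src = src
    for prefix, ext_ip in SNAT_RULES:  # first matching SNAT rule wins
        if _in(src, prefix):
            wire_src = ext_ip
            break
    return table, gateway, wire_src


if __name__ == "__main__":
    for host in ("10.1.0.5", "10.2.0.5"):
        print(host, "rules off ->", route_packet(host, rpdb_enabled=False))
        print(host, "rules on  ->", route_packet(host))
```

Without the rules the second host is sourced from 198.51.100.10 but handed to 192.0.2.1, exactly the asymmetric case the per-table default routes fix.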